GlobalProtect Portals Authentication Configuration Tab
Select NetworkGlobalProtectPortals<GlobalProtect-portal-config>Authentication to configure the various GlobalProtect™ portal settings:
- An SSL/TLS service profile that the portal and servers use for authentication. The service profile is independent of the other settings in Authentication.
- Unique authentication schemes that are based primarily on the operating system of the user endpoints and secondarily on an optional authentication profile.
- (Optional) A Certificate Profile, which enables GlobalProtect to use a specific certificate profile for authenticating the user. The certificate from the client must match the certificate profile (if client certificates are part of the security scheme).
GlobalProtect Portal Authentication Settings
SSL/TLS Service Profile
Select an existing SSL/TLS Service profile. The profile specifies a certificate and the allowed protocols for securing traffic on the management interface. The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate associated with the profile must match the IP address or FQDN of the Interface selected in the General tab.
In GlobalProtect VPN configurations, use a profile associated with a certificate from a trusted third-party CA or a certificate that your internal enterprise CA generated.
Enter a name to identify the client authentication configuration. (The client authentication configuration is independent of the SSL/TLS service profile.)
You can create multiple client authentication configurations and differentiate them primarily by operating system and additionally by unique authentication profiles (for the same OS). For example, you can add client authentication configurations for different operating systems but also have different configurations for the same OS that are differentiated by unique authentication profiles. (You should manually order these profiles from most specific to most general. For example, all users and any OS is the most general.)
You can also create configurations that GlobalProtect deploys to apps in Pre-logon mode (before the user has logged in to the system) or that it applies to any user. (Pre-logon establishes a VPN tunnel to a GlobalProtect gateway before the user logs in to GlobalProtect.)
To deploy a client authentication profile specific to the operating system (OS) on an endpoint, Add the OS (Any, Android, Chrome, iOS, Linux, Mac, Windows, or WindowsUWP). The OS is the primary differentiator between configurations. (See Authentication Profile for further differentiation.)
The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect app (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite (LSVPN).
In addition to distinguishing a client authentication configuration by an OS, you can further differentiate by specifying an authentication profile. (You can create a New Authentication Profile or select an existing one.) To configure multiple authentication options for an OS, you can create multiple client authentication profiles.
If you are configuring an LSVPN in Gateways, you cannot save that configuration unless you select an authentication profile here. Also, if you plan to use serial numbers to authenticate satellites, the portal must have an authentication profile available when it cannot locate or validate a firewall serial number.
See also Device > Authentication Profile.
Specify a custom username label for GlobalProtect portal login. For example, Username (only) or Email Address (username@domain).
Specify a custom password label for GlobalProtect portal login. For example, Password (Turkish) or Passcode (for two-factor, token-based authentication).
To help end users know the type of credentials they need for logging in, enter a message or keep the default message. The maximum length of the message is 256 characters.
(Optional) Select the Certificate Profile the portal uses to match those client certificates that come from user endpoints. With a Certificate Profile, the portal authenticates the user only if the certificate from the client matches this profile.
The certificate profile is independent of the OS. Also, this profile is active even if you enable Authentication Override, which overrides the Authentication Profile to allow authentication using encrypted cookies.
GlobalProtect Gateway Authentication Tab
GlobalProtect Gateway Authentication Tab Select Network GlobalProtect Gateways Authentication to identify the SSL/TLS service profile and to configure the details of client authentication. You can ...
Configure the Portal
Configure the Portal After you have completed the GlobalProtect Portal for LSVPN Prerequisite Tasks , configure the GlobalProtect portal as follows: Add the portal. Select ...
Configure the Portal to Authenticate Satellites
Configure the Portal to Authenticate Satellites In order to register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After establishing ...
Define the GlobalProtect Client Authentication Configurations
Define the GlobalProtect Client Authentication Configurations Each GlobalProtect client authentication configuration specifies the settings that enable the user to authenticate with the GlobalProtect portal. You ...
Basic LSVPN Configuration with Static Routing
Basic LSVPN Configuration with Static Routing This quick config shows the fastest way to get up and running with LSVPN. In this example, a single ...
Kerberos Authentication Support for macOS
The GlobalProtect app for macOS endpoints (10.10 and later releases) now supports Kerberos V5 SSO. ...
Enable Two-Factor Authentication Using One-Time Passwords (...
Enable Two-Factor Authentication Using One-Time Passwords (OTPs) Use this workflow to configure two-factor authentication using one-time passwords (OTPs) on the portal and gateways. When a ...
Enable Two-Factor Authentication Using Certificate and Auth...
Enable Two-Factor Authentication Using Certificate and Authentication Profiles The following workflow describes how to configure GlobalProtect to require users to authenticate to both a certificate ...
SAML SSO for GlobalProtect on Chromebooks
The GlobalProtect app for Chromebooks now supports SAML single sign-on. ...